moonming opened a new pull request, #3409: URL: https://github.com/apache/apisix-dashboard/pull/3409
### Summary Bumps the pinned package manager from `[email protected]` to `[email protected]`. `10.10.0` falls within the affected ranges of several pnpm supply-chain advisories disclosed in June 2026. Bumping to `10.34.4` moves us out of all of them: | Advisory | Severity | Patched | |---|---|---| | [GHSA-w466-c33r-3gjp](https://github.com/advisories/GHSA-w466-c33r-3gjp) — env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes | High | 10.34.2 | | [GHSA-gj8w-mvpf-x27x](https://github.com/advisories/GHSA-gj8w-mvpf-x27x) — repository-controlled `configDependencies` can select a pacquet native install engine | High | 10.34.2 | | [GHSA-3qhv-2rgh-x77r](https://github.com/advisories/GHSA-3qhv-2rgh-x77r) — repository config can expand environment secrets into registry requests before scripts run | Medium | 10.34.2 | | [GHSA-5wx6-mg75-v57r](https://github.com/advisories/GHSA-5wx6-mg75-v57r) — manifest identity spoof satisfies `allowBuilds` and runs attacker lifecycle scripts | High | 10.34.2 | | [GHSA-qrv3-253h-g69c](https://github.com/advisories/GHSA-qrv3-253h-g69c) — path traversal in `configDependencies` env lockfile allows symlink creation outside `node_modules/.pnpm-config` | High | 10.34.4 | `10.34.4` is the lowest release that covers all five (the path-traversal fix landed in 10.34.4; the others in 10.34.2). ### Changes - `package.json`: `packageManager` → `[email protected]` with the SHA-512 integrity of the 10.34.4 npm tarball. No dependency or `pnpm-lock.yaml` changes are required — all pnpm 10.x releases share lockfile v9, and no dependencies change. ### Notes There is no evidence this repository was compromised; these are design-level advisories with no malicious-package IOCs. This is a precautionary version bump out of the affected range. ### Checklist - [x] Did you explain what problem does this PR solve? Or what new features / functionality will this PR add? - [x] Did you add corresponding test cases? — N/A, package-manager version bump only. - [x] Did you update the corresponding documentation? — N/A. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
